6a9dc963d78ea2b01cacbe412b62a02a09bd7a8134573e69160f13829bc803dd

Analysis

max time kernel
114s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-09-2024 12:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c82e6642b98265efb810443322f18d30N.exe
Size

120KB
MD5

c82e6642b98265efb810443322f18d30
SHA1

ef782aaf5fb0aaaaab5837be1c00ff28a2d21036
SHA256

6a9dc963d78ea2b01cacbe412b62a02a09bd7a8134573e69160f13829bc803dd
SHA512

a2c1b43b551f1e93c645d3c2d3fd15fbf17f1d0b2b6b822f7264c354689086d69bf130ca5ccd067550753f59ebc3baf946b09eb840d9e27dffb1c2ec96b18e92
SSDEEP

1536:d5rQ0sjPyJQowcD2mOtB0SvGwsypy9YLYjG1wkABQjz0cZ44mjD9r823F4:d58nja+p4CB0Gsypylj/Bxi/mjRrz3C

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dcphdqmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enhifi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdjblf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckdkhq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddhomdje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dncpkjoc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjhmbihg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bagmdllg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpacqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdolgfbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgdncplk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Egnajocq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Babcil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckggnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjmekgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjfogbjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Enhifi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banjnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eqmlccdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkgillpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fdbkja32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdocph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cienon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpopbepi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekqckmfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdbkja32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfogbjb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bphqji32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejjaqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Epdime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ekngemhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	c82e6642b98265efb810443322f18d30N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckpamabg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ekqckmfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbfkceca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Banjnm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckdkhq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcphdqmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ecikjoep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Binhnomg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdolgfbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fjhmbihg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edaaccbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fnhbmgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dpopbepi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecikjoep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fclhpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddhomdje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dajbaika.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgiaemic.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdpnda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fbfkceca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bphqji32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmedjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmedjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkkaiphj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c82e6642b98265efb810443322f18d30N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmdkcnie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdocph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkaiphj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkjfakng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknnoofg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egnajocq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Egpnooan.exe

Executes dropped EXE 59 IoCs

pid	Process
3448	Banjnm32.exe
3056	Bjfogbjb.exe
512	Bmdkcnie.exe
4384	Bdocph32.exe
2440	Babcil32.exe
2528	Bfolacnc.exe
1912	Binhnomg.exe
2240	Bphqji32.exe
1264	Bkmeha32.exe
1456	Bagmdllg.exe
1276	Ckpamabg.exe
3948	Cpljehpo.exe
2336	Cienon32.exe
672	Cdjblf32.exe
4228	Ckdkhq32.exe
3692	Cpacqg32.exe
5028	Ckggnp32.exe
2200	Cmedjl32.exe
3108	Cdolgfbp.exe
3388	Cgmhcaac.exe
1060	Cpfmlghd.exe
4296	Dkkaiphj.exe
912	Dmjmekgn.exe
1592	Dcffnbee.exe
4992	Dknnoofg.exe
1036	Dpjfgf32.exe
3856	Dgdncplk.exe
2504	Dajbaika.exe
3208	Ddhomdje.exe
4600	Dnqcfjae.exe
3372	Dpopbepi.exe
2276	Dncpkjoc.exe
3304	Dcphdqmj.exe
3064	Ejjaqk32.exe
4692	Epdime32.exe
2164	Egnajocq.exe
3852	Enhifi32.exe
1652	Edaaccbj.exe
764	Egpnooan.exe
1604	Eafbmgad.exe
1848	Eddnic32.exe
380	Ekngemhd.exe
4344	Eahobg32.exe
1480	Ecikjoep.exe
1968	Ekqckmfb.exe
2060	Eqmlccdi.exe
4896	Fclhpo32.exe
4244	Fqphic32.exe
2484	Fgiaemic.exe
1936	Fjhmbihg.exe
4952	Fqbeoc32.exe
4540	Fkgillpj.exe
3636	Fdpnda32.exe
1928	Fkjfakng.exe
724	Fnhbmgmk.exe
1464	Fdbkja32.exe
1776	Fgqgfl32.exe
624	Fbfkceca.exe
4140	Gddgpqbe.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kbpkkeen.dll	Babcil32.exe
File created	C:\Windows\SysWOW64\Lljoca32.dll	Cgmhcaac.exe
File opened for modification	C:\Windows\SysWOW64\Dncpkjoc.exe	Dpopbepi.exe
File created	C:\Windows\SysWOW64\Ncjiib32.dll	Dpopbepi.exe
File opened for modification	C:\Windows\SysWOW64\Edaaccbj.exe	Enhifi32.exe
File opened for modification	C:\Windows\SysWOW64\Binhnomg.exe	Bfolacnc.exe
File created	C:\Windows\SysWOW64\Bigpblgh.dll	Cpfmlghd.exe
File opened for modification	C:\Windows\SysWOW64\Egpnooan.exe	Edaaccbj.exe
File opened for modification	C:\Windows\SysWOW64\Ecikjoep.exe	Eahobg32.exe
File created	C:\Windows\SysWOW64\Eqmlccdi.exe	Ekqckmfb.exe
File opened for modification	C:\Windows\SysWOW64\Fkgillpj.exe	Fqbeoc32.exe
File opened for modification	C:\Windows\SysWOW64\Cpacqg32.exe	Ckdkhq32.exe
File created	C:\Windows\SysWOW64\Acajpc32.dll	Dmjmekgn.exe
File created	C:\Windows\SysWOW64\Icembg32.dll	Egnajocq.exe
File created	C:\Windows\SysWOW64\Ojimfh32.dll	Ekqckmfb.exe
File created	C:\Windows\SysWOW64\Fdpnda32.exe	Fkgillpj.exe
File created	C:\Windows\SysWOW64\Fkjfakng.exe	Fdpnda32.exe
File opened for modification	C:\Windows\SysWOW64\Banjnm32.exe	c82e6642b98265efb810443322f18d30N.exe
File created	C:\Windows\SysWOW64\Dgdncplk.exe	Dpjfgf32.exe
File created	C:\Windows\SysWOW64\Eclhcj32.dll	Ecikjoep.exe
File created	C:\Windows\SysWOW64\Ipecicga.dll	Bfolacnc.exe
File created	C:\Windows\SysWOW64\Bkmeha32.exe	Bphqji32.exe
File created	C:\Windows\SysWOW64\Bhkacq32.dll	Epdime32.exe
File created	C:\Windows\SysWOW64\Ecikjoep.exe	Eahobg32.exe
File created	C:\Windows\SysWOW64\Okkbgpmc.dll	Fqphic32.exe
File opened for modification	C:\Windows\SysWOW64\Fdpnda32.exe	Fkgillpj.exe
File opened for modification	C:\Windows\SysWOW64\Bmdkcnie.exe	Bjfogbjb.exe
File opened for modification	C:\Windows\SysWOW64\Cpljehpo.exe	Ckpamabg.exe
File opened for modification	C:\Windows\SysWOW64\Cpfmlghd.exe	Cgmhcaac.exe
File created	C:\Windows\SysWOW64\Dkkaiphj.exe	Cpfmlghd.exe
File created	C:\Windows\SysWOW64\Bmdkcnie.exe	Bjfogbjb.exe
File created	C:\Windows\SysWOW64\Ckdkhq32.exe	Cdjblf32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjmekgn.exe	Dkkaiphj.exe
File opened for modification	C:\Windows\SysWOW64\Eqmlccdi.exe	Ekqckmfb.exe
File opened for modification	C:\Windows\SysWOW64\Fkjfakng.exe	Fdpnda32.exe
File created	C:\Windows\SysWOW64\Bjfogbjb.exe	Banjnm32.exe
File created	C:\Windows\SysWOW64\Qecffhdo.dll	Cienon32.exe
File opened for modification	C:\Windows\SysWOW64\Cgmhcaac.exe	Cdolgfbp.exe
File opened for modification	C:\Windows\SysWOW64\Dcffnbee.exe	Dmjmekgn.exe
File created	C:\Windows\SysWOW64\Edaaccbj.exe	Enhifi32.exe
File created	C:\Windows\SysWOW64\Cdjblf32.exe	Cienon32.exe
File created	C:\Windows\SysWOW64\Dooaccfg.dll	Cdjblf32.exe
File opened for modification	C:\Windows\SysWOW64\Epdime32.exe	Ejjaqk32.exe
File created	C:\Windows\SysWOW64\Cjeejn32.dll	Enhifi32.exe
File created	C:\Windows\SysWOW64\Banjnm32.exe	c82e6642b98265efb810443322f18d30N.exe
File opened for modification	C:\Windows\SysWOW64\Bfolacnc.exe	Babcil32.exe
File created	C:\Windows\SysWOW64\Mjaofnii.dll	Binhnomg.exe
File opened for modification	C:\Windows\SysWOW64\Dkkaiphj.exe	Cpfmlghd.exe
File created	C:\Windows\SysWOW64\Enhifi32.exe	Egnajocq.exe
File opened for modification	C:\Windows\SysWOW64\Babcil32.exe	Bdocph32.exe
File created	C:\Windows\SysWOW64\Bfolacnc.exe	Babcil32.exe
File opened for modification	C:\Windows\SysWOW64\Cdjblf32.exe	Cienon32.exe
File created	C:\Windows\SysWOW64\Dcffnbee.exe	Dmjmekgn.exe
File opened for modification	C:\Windows\SysWOW64\Dknnoofg.exe	Dcffnbee.exe
File created	C:\Windows\SysWOW64\Kdfepi32.dll	Dcffnbee.exe
File created	C:\Windows\SysWOW64\Elkodmbe.dll	Dgdncplk.exe
File created	C:\Windows\SysWOW64\Dcphdqmj.exe	Dncpkjoc.exe
File created	C:\Windows\SysWOW64\Egnajocq.exe	Epdime32.exe
File opened for modification	C:\Windows\SysWOW64\Eddnic32.exe	Eafbmgad.exe
File created	C:\Windows\SysWOW64\Bdocph32.exe	Bmdkcnie.exe
File created	C:\Windows\SysWOW64\Cmedjl32.exe	Ckggnp32.exe
File created	C:\Windows\SysWOW64\Eafbmgad.exe	Egpnooan.exe
File created	C:\Windows\SysWOW64\Fclhpo32.exe	Eqmlccdi.exe
File created	C:\Windows\SysWOW64\Fnhbmgmk.exe	Fkjfakng.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5080	4140	WerFault.exe	151

System Location Discovery: System Language Discovery 1 TTPs 60 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqmlccdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdbkja32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbfkceca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eafbmgad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecikjoep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkgillpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcffnbee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpjfgf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dajbaika.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejjaqk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egnajocq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekngemhd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c82e6642b98265efb810443322f18d30N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkmeha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eahobg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqbeoc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddhomdje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egpnooan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eddnic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqphic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdocph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckdkhq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdpnda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpljehpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmedjl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckggnp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnhbmgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdolgfbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkjfakng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgqgfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfolacnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dncpkjoc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epdime32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gddgpqbe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpacqg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkaiphj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknnoofg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgdncplk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enhifi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekqckmfb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fclhpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banjnm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfogbjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjmekgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcphdqmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmdkcnie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckpamabg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cienon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgmhcaac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnqcfjae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bphqji32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagmdllg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edaaccbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgiaemic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjhmbihg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Babcil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpopbepi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdjblf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Binhnomg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmlghd.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgdncplk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okkbgpmc.dll"	Fqphic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fqbeoc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	c82e6642b98265efb810443322f18d30N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apmpkall.dll"	c82e6642b98265efb810443322f18d30N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bagmdllg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cpljehpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgqaip32.dll"	Dkkaiphj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fkjfakng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Banjnm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfolacnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lljoca32.dll"	Cgmhcaac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjinnekj.dll"	Fqbeoc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ejjaqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipecicga.dll"	Bfolacnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bagmdllg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmjmekgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dcffnbee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikfbpdlg.dll"	Dpjfgf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Babcil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ckpamabg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cpljehpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkkaiphj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ecikjoep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cgmhcaac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bigpblgh.dll"	Cpfmlghd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aolphl32.dll"	Egpnooan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ekngemhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eclhcj32.dll"	Ecikjoep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dajbaika.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dcphdqmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ekngemhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjaofnii.dll"	Binhnomg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfchag32.dll"	Bkmeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dodebo32.dll"	Cpacqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmedjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkodmbe.dll"	Dgdncplk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fnhbmgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fjhmbihg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fdbkja32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Binhnomg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pedfeccm.dll"	Ddhomdje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ejjaqk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eahobg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ekqckmfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qecffhdo.dll"	Cienon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdfepi32.dll"	Dcffnbee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dajbaika.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eddnic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	c82e6642b98265efb810443322f18d30N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdbbme32.dll"	Ckpamabg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdjblf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cpacqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icpjna32.dll"	Cmedjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dooaccfg.dll"	Cdjblf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fkjfakng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Egpnooan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkhpmopi.dll"	Fdbkja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bphqji32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dcffnbee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dpjfgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnoefe32.dll"	Ejjaqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhkacq32.dll"	Epdime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gadeee32.dll"	Fjhmbihg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4468 wrote to memory of 3448	4468	c82e6642b98265efb810443322f18d30N.exe	92
PID 4468 wrote to memory of 3448	4468	c82e6642b98265efb810443322f18d30N.exe	92
PID 4468 wrote to memory of 3448	4468	c82e6642b98265efb810443322f18d30N.exe	92
PID 3448 wrote to memory of 3056	3448	Banjnm32.exe	93
PID 3448 wrote to memory of 3056	3448	Banjnm32.exe	93
PID 3448 wrote to memory of 3056	3448	Banjnm32.exe	93
PID 3056 wrote to memory of 512	3056	Bjfogbjb.exe	94
PID 3056 wrote to memory of 512	3056	Bjfogbjb.exe	94
PID 3056 wrote to memory of 512	3056	Bjfogbjb.exe	94
PID 512 wrote to memory of 4384	512	Bmdkcnie.exe	95
PID 512 wrote to memory of 4384	512	Bmdkcnie.exe	95
PID 512 wrote to memory of 4384	512	Bmdkcnie.exe	95
PID 4384 wrote to memory of 2440	4384	Bdocph32.exe	96
PID 4384 wrote to memory of 2440	4384	Bdocph32.exe	96
PID 4384 wrote to memory of 2440	4384	Bdocph32.exe	96
PID 2440 wrote to memory of 2528	2440	Babcil32.exe	97
PID 2440 wrote to memory of 2528	2440	Babcil32.exe	97
PID 2440 wrote to memory of 2528	2440	Babcil32.exe	97
PID 2528 wrote to memory of 1912	2528	Bfolacnc.exe	99
PID 2528 wrote to memory of 1912	2528	Bfolacnc.exe	99
PID 2528 wrote to memory of 1912	2528	Bfolacnc.exe	99
PID 1912 wrote to memory of 2240	1912	Binhnomg.exe	100
PID 1912 wrote to memory of 2240	1912	Binhnomg.exe	100
PID 1912 wrote to memory of 2240	1912	Binhnomg.exe	100
PID 2240 wrote to memory of 1264	2240	Bphqji32.exe	101
PID 2240 wrote to memory of 1264	2240	Bphqji32.exe	101
PID 2240 wrote to memory of 1264	2240	Bphqji32.exe	101
PID 1264 wrote to memory of 1456	1264	Bkmeha32.exe	102
PID 1264 wrote to memory of 1456	1264	Bkmeha32.exe	102
PID 1264 wrote to memory of 1456	1264	Bkmeha32.exe	102
PID 1456 wrote to memory of 1276	1456	Bagmdllg.exe	103
PID 1456 wrote to memory of 1276	1456	Bagmdllg.exe	103
PID 1456 wrote to memory of 1276	1456	Bagmdllg.exe	103
PID 1276 wrote to memory of 3948	1276	Ckpamabg.exe	104
PID 1276 wrote to memory of 3948	1276	Ckpamabg.exe	104
PID 1276 wrote to memory of 3948	1276	Ckpamabg.exe	104
PID 3948 wrote to memory of 2336	3948	Cpljehpo.exe	105
PID 3948 wrote to memory of 2336	3948	Cpljehpo.exe	105
PID 3948 wrote to memory of 2336	3948	Cpljehpo.exe	105
PID 2336 wrote to memory of 672	2336	Cienon32.exe	106
PID 2336 wrote to memory of 672	2336	Cienon32.exe	106
PID 2336 wrote to memory of 672	2336	Cienon32.exe	106
PID 672 wrote to memory of 4228	672	Cdjblf32.exe	107
PID 672 wrote to memory of 4228	672	Cdjblf32.exe	107
PID 672 wrote to memory of 4228	672	Cdjblf32.exe	107
PID 4228 wrote to memory of 3692	4228	Ckdkhq32.exe	108
PID 4228 wrote to memory of 3692	4228	Ckdkhq32.exe	108
PID 4228 wrote to memory of 3692	4228	Ckdkhq32.exe	108
PID 3692 wrote to memory of 5028	3692	Cpacqg32.exe	109
PID 3692 wrote to memory of 5028	3692	Cpacqg32.exe	109
PID 3692 wrote to memory of 5028	3692	Cpacqg32.exe	109
PID 5028 wrote to memory of 2200	5028	Ckggnp32.exe	110
PID 5028 wrote to memory of 2200	5028	Ckggnp32.exe	110
PID 5028 wrote to memory of 2200	5028	Ckggnp32.exe	110
PID 2200 wrote to memory of 3108	2200	Cmedjl32.exe	111
PID 2200 wrote to memory of 3108	2200	Cmedjl32.exe	111
PID 2200 wrote to memory of 3108	2200	Cmedjl32.exe	111
PID 3108 wrote to memory of 3388	3108	Cdolgfbp.exe	112
PID 3108 wrote to memory of 3388	3108	Cdolgfbp.exe	112
PID 3108 wrote to memory of 3388	3108	Cdolgfbp.exe	112
PID 3388 wrote to memory of 1060	3388	Cgmhcaac.exe	113
PID 3388 wrote to memory of 1060	3388	Cgmhcaac.exe	113
PID 3388 wrote to memory of 1060	3388	Cgmhcaac.exe	113
PID 1060 wrote to memory of 4296	1060	Cpfmlghd.exe	114

C:\Users\Admin\AppData\Local\Temp\c82e6642b98265efb810443322f18d30N.exe
"C:\Users\Admin\AppData\Local\Temp\c82e6642b98265efb810443322f18d30N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4468
- C:\Windows\SysWOW64\Banjnm32.exe
  C:\Windows\system32\Banjnm32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3448
- - C:\Windows\SysWOW64\Bjfogbjb.exe
    C:\Windows\system32\Bjfogbjb.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3056
  - - C:\Windows\SysWOW64\Bmdkcnie.exe
      C:\Windows\system32\Bmdkcnie.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:512
    - - C:\Windows\SysWOW64\Bdocph32.exe
        
        C:\Windows\system32\Bdocph32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4384
      - C:\Windows\SysWOW64\Babcil32.exe
        
        C:\Windows\system32\Babcil32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\SysWOW64\Bfolacnc.exe
        
        C:\Windows\system32\Bfolacnc.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\SysWOW64\Binhnomg.exe
        
        C:\Windows\system32\Binhnomg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\Bphqji32.exe
        
        C:\Windows\system32\Bphqji32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\SysWOW64\Bkmeha32.exe
        
        C:\Windows\system32\Bkmeha32.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Windows\SysWOW64\Bagmdllg.exe
        
        C:\Windows\system32\Bagmdllg.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1456
        
        C:\Windows\SysWOW64\Ckpamabg.exe
        
        C:\Windows\system32\Ckpamabg.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1276
        
        C:\Windows\SysWOW64\Cpljehpo.exe
        
        C:\Windows\system32\Cpljehpo.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Windows\SysWOW64\Cienon32.exe
        
        C:\Windows\system32\Cienon32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\SysWOW64\Cdjblf32.exe
        
        C:\Windows\system32\Cdjblf32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:672
        
        C:\Windows\SysWOW64\Ckdkhq32.exe
        
        C:\Windows\system32\Ckdkhq32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4228
        
        C:\Windows\SysWOW64\Cpacqg32.exe
        
        C:\Windows\system32\Cpacqg32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3692
        
        C:\Windows\SysWOW64\Ckggnp32.exe
        
        C:\Windows\system32\Ckggnp32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\SysWOW64\Cmedjl32.exe
        
        C:\Windows\system32\Cmedjl32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\SysWOW64\Cdolgfbp.exe
        
        C:\Windows\system32\Cdolgfbp.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3108
        
        C:\Windows\SysWOW64\Cgmhcaac.exe
        
        C:\Windows\system32\Cgmhcaac.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3388
        
        C:\Windows\SysWOW64\Cpfmlghd.exe
        
        C:\Windows\system32\Cpfmlghd.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\SysWOW64\Dkkaiphj.exe
        
        C:\Windows\system32\Dkkaiphj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4296
        
        C:\Windows\SysWOW64\Dmjmekgn.exe
        
        C:\Windows\system32\Dmjmekgn.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:912
        
        C:\Windows\SysWOW64\Dcffnbee.exe
        
        C:\Windows\system32\Dcffnbee.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Dknnoofg.exe
        
        C:\Windows\system32\Dknnoofg.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4992
        
        C:\Windows\SysWOW64\Dpjfgf32.exe
        
        C:\Windows\system32\Dpjfgf32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1036
        
        C:\Windows\SysWOW64\Dgdncplk.exe
        
        C:\Windows\system32\Dgdncplk.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3856
        
        C:\Windows\SysWOW64\Dajbaika.exe
        
        C:\Windows\system32\Dajbaika.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2504
        
        C:\Windows\SysWOW64\Ddhomdje.exe
        
        C:\Windows\system32\Ddhomdje.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3208
        
        C:\Windows\SysWOW64\Dnqcfjae.exe
        
        C:\Windows\system32\Dnqcfjae.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4600
        
        C:\Windows\SysWOW64\Dpopbepi.exe
        
        C:\Windows\system32\Dpopbepi.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3372
        
        C:\Windows\SysWOW64\Dncpkjoc.exe
        
        C:\Windows\system32\Dncpkjoc.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2276
        
        C:\Windows\SysWOW64\Dcphdqmj.exe
        
        C:\Windows\system32\Dcphdqmj.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3304
        
        C:\Windows\SysWOW64\Ejjaqk32.exe
        
        C:\Windows\system32\Ejjaqk32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\Epdime32.exe
        
        C:\Windows\system32\Epdime32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4692
        
        C:\Windows\SysWOW64\Egnajocq.exe
        
        C:\Windows\system32\Egnajocq.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2164
        
        C:\Windows\SysWOW64\Enhifi32.exe
        
        C:\Windows\system32\Enhifi32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3852
        
        C:\Windows\SysWOW64\Edaaccbj.exe
        
        C:\Windows\system32\Edaaccbj.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1652
        
        C:\Windows\SysWOW64\Egpnooan.exe
        
        C:\Windows\system32\Egpnooan.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:764
        
        C:\Windows\SysWOW64\Eafbmgad.exe
        
        C:\Windows\system32\Eafbmgad.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1604
        
        C:\Windows\SysWOW64\Eddnic32.exe
        
        C:\Windows\system32\Eddnic32.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1848
        
        C:\Windows\SysWOW64\Ekngemhd.exe
        
        C:\Windows\system32\Ekngemhd.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:380
        
        C:\Windows\SysWOW64\Eahobg32.exe
        
        C:\Windows\system32\Eahobg32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Ecikjoep.exe
        
        C:\Windows\system32\Ecikjoep.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1480
        
        C:\Windows\SysWOW64\Ekqckmfb.exe
        
        C:\Windows\system32\Ekqckmfb.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1968
        
        C:\Windows\SysWOW64\Eqmlccdi.exe
        
        C:\Windows\system32\Eqmlccdi.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2060
        
        C:\Windows\SysWOW64\Fclhpo32.exe
        
        C:\Windows\system32\Fclhpo32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4896
        
        C:\Windows\SysWOW64\Fqphic32.exe
        
        C:\Windows\system32\Fqphic32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4244
        
        C:\Windows\SysWOW64\Fgiaemic.exe
        
        C:\Windows\system32\Fgiaemic.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2484
        
        C:\Windows\SysWOW64\Fjhmbihg.exe
        
        C:\Windows\system32\Fjhmbihg.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1936
        
        C:\Windows\SysWOW64\Fqbeoc32.exe
        
        C:\Windows\system32\Fqbeoc32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4952
        
        C:\Windows\SysWOW64\Fkgillpj.exe
        
        C:\Windows\system32\Fkgillpj.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4540
        
        C:\Windows\SysWOW64\Fdpnda32.exe
        
        C:\Windows\system32\Fdpnda32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3636
        
        C:\Windows\SysWOW64\Fkjfakng.exe
        
        C:\Windows\system32\Fkjfakng.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1928
        
        C:\Windows\SysWOW64\Fnhbmgmk.exe
        
        C:\Windows\system32\Fnhbmgmk.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:724
        
        C:\Windows\SysWOW64\Fdbkja32.exe
        
        C:\Windows\system32\Fdbkja32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1464
        
        C:\Windows\SysWOW64\Fgqgfl32.exe
        
        C:\Windows\system32\Fgqgfl32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1776
        
        C:\Windows\SysWOW64\Fbfkceca.exe
        
        C:\Windows\system32\Fbfkceca.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:624
        
        C:\Windows\SysWOW64\Gddgpqbe.exe
        
        C:\Windows\system32\Gddgpqbe.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4140
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 412
        61⤵
        Program crash
        
        PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4140 -ip 4140
1⤵
PID:220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4160,i,4356837537417149674,16553092232944545509,262144 --variations-seed-version --mojo-platform-channel-handle=1040 /prefetch:8
1⤵
PID:1652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Babcil32.exe

Filesize
120KB

MD5
d973e674e4f05f0016df8b899250fea5

SHA1
e567b5b3c3155713e75e0f4d5fd97a81f82cf32a

SHA256
a94e7bc174539ce8ce8cf8bd1a11a7c9d398a821eb0d57212ec215d2f2860597

SHA512
74168d0cf71f6077e14b459859539470e36c136874a67fc5ac4cfc61fb0f00bd27507d228518a57afd109ca8f0e9ed47135dae034731fe1c48f4ec304da913e1

Download Submit
C:\Windows\SysWOW64\Bagmdllg.exe

Filesize
120KB

MD5
23cb7f6e5699afab9cd5d86e816fb831

SHA1
44553bf7c3c065b5c48f38cf9eb0b74370234c54

SHA256
4527ebb2a9645b836854ee619b06bf7243743713e73fcbea69154d1e2bfaf6e8

SHA512
9ce7f6687c51bde987b5e1bbe896e4b475603ac14009476f63549a5d5a7a576690d8673f3b5e0cb0c20686123a49c3a25cf7cd137fb2b723cef161a8854573f4

Download Submit
C:\Windows\SysWOW64\Banjnm32.exe

Filesize
120KB

MD5
413dc8b252976d9ea007135f323ab9d3

SHA1
48c6e35ecd7b8bdc58f8602caeaa58a131f3738b

SHA256
0a371f328ea42040dbaea28c431fba000dd08ea6f797fdfcc8e3ac1050d7fb05

SHA512
65de03af3f74ae05794c7bce7883f2d2dc08ab65eaf15699602c0e93373edfa311f823eb78a3c406e69f410fece0b948da4af46e15507494eac13ac7eef545ed

Download Submit
C:\Windows\SysWOW64\Bdocph32.exe

Filesize
120KB

MD5
16dcf5e0dd42558290ec8a7ba7ed5d35

SHA1
c2b3709560a92078ee8154d97f61fd5226ed1af9

SHA256
55aebbaee03171a974b0fbd546740ee0cf12ca45f14c2317051efa54490c15f9

SHA512
0e772252074b17096d01b6ec8ae6fb829a5234bab742f6010032b5f29f5f15c6d08de3bf2f31e30378f907f39639f30d1f31b2ee943ddd75e20fe7fbd9d1f2ae

Download Submit
C:\Windows\SysWOW64\Bfolacnc.exe

Filesize
120KB

MD5
4a3c9a631999f1918c12c48f3b2c2411

SHA1
82831bfcf82f7938b37b8e625904a9ae8d8eb444

SHA256
666b9238fa8da9bb7777b3850c3780856a523cd61f0573e23a24e01568c556b7

SHA512
f3057790fb7ce50ac8e1fbfc95fc9570750ba36a990aecb5b4738dac675d84a3f09b87698293a0cfe03e0a299eac2c8f8a9729c8c12cb424bfa3c5418c3738a0

Download Submit
C:\Windows\SysWOW64\Binhnomg.exe

Filesize
120KB

MD5
15dfa6887878b4e5865776b906a3d49e

SHA1
d787bf296deeff7c3d7763c0738735e18cab4182

SHA256
3d0af77a508ee82d035aee1c6b309a95794095cce0201addb6797cd9f1a5a784

SHA512
3214c86fbaa0e952b5780252cfa8efe9a9e9d549095cb05db99530ac6d63549b6fb2500070b5a42908c7416a6c40e2389ccbe5b768c4723bbb9de3dc75b0ac27

Download Submit
C:\Windows\SysWOW64\Bjfogbjb.exe

Filesize
120KB

MD5
1d10162f0c51131e13b89f569297642f

SHA1
a74ef08e7a7a70c49975676e22490a182a602f26

SHA256
ffb12b2ab0cef41639562c946fa2a0887eccd6ac8a95b21e11ed4fc0ee956a41

SHA512
a3c5ab534e76fbd2876a4713f3d778754e4ea1c25cd4716bb5aa8f6a9379f676339ca5d9c3ce36a9cd9b24ff024283197dcaeee3952a1bc14904e060efc5afe2

Download Submit
C:\Windows\SysWOW64\Bkmeha32.exe

Filesize
120KB

MD5
b3211dac0657262fdd3c609ca308a8cc

SHA1
4285784d949f420837fc8527e3881fc2cd769111

SHA256
219576e5be256ac20509fa3f6dc01835a8e9175e32e79ecd7b866086db8d4433

SHA512
b03959d9f274df8000cd5372caced91400707a25187aaede6b3975948889b494872ea3e4334cd0a5fe8b8bf2c0d3f4f08d5a2f1848eca070a96cd1046f463fa9

Download Submit
C:\Windows\SysWOW64\Bmdkcnie.exe

Filesize
120KB

MD5
bdfd60ad4c4751f8a9bf2bf01b6d4289

SHA1
cce6b53a6a4375542ad5cd1a24433b60e931f5eb

SHA256
f7a420f2b3326fc598076ef6ee50f67f72fa71bd80824dc3f7e7d6141d65a988

SHA512
b59cf3a0cf18bb9130eb50a12fc935fb6b0f92b679055078a8805be5a7aec973a3ded68add2e1ffa86c5f269e696f5ca84fa490528d4290f75dab9955f0d42bf

Download Submit
C:\Windows\SysWOW64\Bphqji32.exe

Filesize
120KB

MD5
ded52ce403b8ff5dba89182adb975758

SHA1
273d8d12e84b5821166f5917217da34024205c6f

SHA256
d102e4b18bc3a30ee3b5a272e02f5d1d39719d434748ca2825ec59e264f55af2

SHA512
5f10b1f5f1c57112b65536d57f7e5cca9027e1db8b541fb7b00b6f08c1fb1059fd7de419b35721449f082927673e4771796656e49e268a565a6060b13b43b439

Download Submit
C:\Windows\SysWOW64\Cdjblf32.exe

Filesize
120KB

MD5
1d2af968d9e6963f78bd817d31cdbd68

SHA1
732db634d5e43ce34fbb58f40d05678eb25310fa

SHA256
547f13630d018f8c05556399211427dfb518328e65fdb9cadf2efb0ed4578421

SHA512
173024b153340630cf3c94b46db173c5d784dd3fee696e6ce054c593a7e229ea3899ca19578ac2ea4ddda95fdfb033d34be41c5fabfe774f85ef5b8a216397fc

Download Submit
C:\Windows\SysWOW64\Cdolgfbp.exe

Filesize
120KB

MD5
a9b9b5f18219dbe94d9c593529bafe01

SHA1
114ea02350504af30fd7a67f6db6154b88fbca1a

SHA256
b1423d4a86bfabf47c0fb3c404cdf2af60642e7e2e3a9594987af98e2844a0cc

SHA512
33d855fd4c2ecae08427608d2839b607ad4390be999057cdab08a1e4b96072addaffb1b898a541691aad4c0f258e7d56b0d6e60627d1c736a40d4099c745d0fc

Download Submit
C:\Windows\SysWOW64\Cgmhcaac.exe

Filesize
120KB

MD5
a3516aea77b61fbe01be220c2a689612

SHA1
08fc8ed823fd726b2d66bfbb124c9cd8fe98f98e

SHA256
998aced328ad12d2d99e9e370c1b83a3cedfc238bb461cb1eea72e6d87ce5663

SHA512
4fa4e2cd96620ba5a2331b5f333c38c59edae49cdd6ac50856d1b0b9e4c1dd1274a1f03025b10f50fd11a3d16606c8fa20b0e9fb187b95f9ee04117d14fdcdfa

Download Submit
C:\Windows\SysWOW64\Cienon32.exe

Filesize
120KB

MD5
01bcbf6e9200836328bc864e95a07fc0

SHA1
8eeac1ff4a6f29a20436823afcc68e67a33b798c

SHA256
53ed2266cb4d47fc098f06c5b67947e0afecd736b140cdcc6b3d9b3646559103

SHA512
96e46a4948f2acc8e6400c5023086b9e95f5e579388c1d26bca25aa5f17204180128ff7b67b42ca7fb5c881a08741a53fa8cdf696944f75845e730fa8ecbf99b

Download Submit
C:\Windows\SysWOW64\Ckdkhq32.exe

Filesize
120KB

MD5
e5b041717a2ba1699520ebaa3cbdfb9c

SHA1
56f98c5b8c165319827041c9dfdcfb6cb02dc86c

SHA256
953534aabb6017e65abfa8f0edbd49ee15b58907e0fab2839acad6195d7f74a1

SHA512
727212f6245fd4b8f944734fec21573fe768fce129a0cf1f5c8a0d7876bb36bcf5d2f7d42554244cba063c839e4f12c5cd87867e33aee48ceb1ab4516fe4e493

Download Submit
C:\Windows\SysWOW64\Ckggnp32.exe

Filesize
120KB

MD5
d7f3c16c46f9dd02cb65e3e3ec71738c

SHA1
74dac05a63046927d4db2e72b68e5f54ed000619

SHA256
565337db1626e5e01621621d45d3df4c02f86ca200b1b25e5b8acfdb6fce49a2

SHA512
3d0dafdacfb340d6c62dd3ce9fc17594db72963e6dd8311abda0764d98bd51e1129d2af62169d6f3a47b276b60d32fbbe7e83a768b923a4d95f15476b86be66d

Download Submit
C:\Windows\SysWOW64\Ckpamabg.exe

Filesize
120KB

MD5
74282a56cf81e248b20b75e597887395

SHA1
ac58c8f57a0c77c16131613fac109833724da664

SHA256
239b62c1599fcb30deaf9dbbe0f250eda2419bc217f272a91eadde96f1d6e054

SHA512
60d6a7a5c5061c9b0c5458a53df27e1c42d011d258a9911774d9f24e84a999697df7384cea13e7f3e21ee3b3be0892901947bcf1b2b5b08a72c7294ac3f48377

Download Submit
C:\Windows\SysWOW64\Cmedjl32.exe

Filesize
120KB

MD5
4970d0258209772691c2d04a2e2e14a5

SHA1
ffc189a5ba59e70c815c04b2fac3d05743a931b0

SHA256
fe68dc7ba27a882db313c9437e6be34de7c1e85c1e1b15ced30f8a125113d51a

SHA512
a9e862893301818eb1cbe8eba4309284b0aeb64e33016e1d156f443f2d9a0a213b7d41eb9b82cb80437259976709af8a18f8259d214a884ad1379933e7260c4e

Download Submit
C:\Windows\SysWOW64\Cpacqg32.exe

Filesize
120KB

MD5
e9c17d7935137d807d5090b115d440be

SHA1
559ae4b6b5bf17a7f951b7a47e0d1823c458d3c1

SHA256
1943286bc406a74dca0199a87826c2a4a81c11ddf7b1b67fc98a59f588c73df6

SHA512
90148517c0aadee1c08260d6d1d7652de30699011372482edc20cd7c05ec3b13a7f4657605dcd8b2b63f815a5e493092ced5a458f8979eeafd8214dfbd12dfd4

Download Submit
C:\Windows\SysWOW64\Cpfmlghd.exe

Filesize
120KB

MD5
455c340ed6f27f50f296c07ed49a0bc1

SHA1
200a645a69bddf15e77ad5f7c643d3f76816f2db

SHA256
a88809d5a6c1cc9ef5ff4fb5f9c2cb85b6d625cbf3b18c906791bddb6889ed2f

SHA512
d8006e8742430b10eb353acb1bc7f6b17bd6a2c33a27d1c75db9e1481ec3cd32d0845b0495e320435428b171a1bc8f184a19232a336de17a1d2fc8e4b969ab67

Download Submit
C:\Windows\SysWOW64\Cpljehpo.exe

Filesize
120KB

MD5
fab058a142957006f9c6f38090a7068e

SHA1
6b985ff23756d899cabdeefd994ca105505537df

SHA256
44743c2715d0ae61447ac1dbfa3526625218009e7f3d9d3cc46bee6448992db0

SHA512
8a3205701af35cb15038fb85e54588308499266c36059cbb13e34d20dba819bc12d09ecaae41d3009bc16186674219bfe744645c737629220eb9a4a3cecf60cb

Download Submit
C:\Windows\SysWOW64\Dajbaika.exe

Filesize
120KB

MD5
dc9cad24e16400a9d5c627f8e6451ae2

SHA1
95e9de20ba0148df88144e3bc5ad69994230e74d

SHA256
4bcf0569fc60dc820c1089f4d59299d44f34540727b490a9d0289baf60bfb0d0

SHA512
0e2257bd87a22e499511c16d53e9ecc1e744298bc5cfa5a7f40ecc2c1a401e5d45b45723bcf117dd7fafac40d30ae7dd41ac30d2116cc958896325d9dcffb804

Download Submit
C:\Windows\SysWOW64\Dcffnbee.exe

Filesize
120KB

MD5
4dc4b92d88dcf767282020b78caa8f7f

SHA1
50042ddd49262b6390a9406dfc87e9dcb1dda944

SHA256
cd3899d50dcbc299a4bd0cf13adfcca4843783f59aa4f9b333233dcc865e756f

SHA512
899e783dee55e5fcb9a936ba53258741b958feb3f52aa00e947bd7fd22a8ed3ecd01f93bcb86c7748565c6306aef457a0213c17573b67ccf1d888a3c92c06cb3

Download Submit
C:\Windows\SysWOW64\Ddhomdje.exe

Filesize
120KB

MD5
8f4aabe33c8b2b858cf2a05b015f9459

SHA1
7a6ab56eaa8de47d9791fa73be7f0e93593cafac

SHA256
2213976adde337c2c7fbbab109c61160e4018f37e0a5304e4756ef33a410231d

SHA512
98b07bc891b7fd4348f5ddda076e72fe910954e84c59994c316421596df671a852fdb3564ebf16e979cbaa1432f6be8c425e381e72ec8848b6876bb457844898

Download Submit
C:\Windows\SysWOW64\Dgdncplk.exe

Filesize
120KB

MD5
72b90ded8ad88dc1fd799dbd8aa055cd

SHA1
6535717352cf3ffa8b2ae7f05003d89fd080082a

SHA256
07c25f9fbfcc9c922c0d2079d593c640ecba81f7de9f230c7d63d82dde032146

SHA512
5c32f5e3f23c6040bd69bda7057e5e29cdacb2c97885a9e76525611fbd9ba46d9ffca78afabf021450a570b59c380e93f4d97460f2a95ecd61fd3bd543dace18

Download Submit
C:\Windows\SysWOW64\Dkkaiphj.exe

Filesize
120KB

MD5
6b96002a6b1f20df3c585f21d90677e7

SHA1
5058d13c3123841cdbdf2663a4fbda9785cc9ff2

SHA256
a3021f6d377c31b4f9e8b63bd80be076ad8db4e2192708d6b0f8682541f51df4

SHA512
b968f08ece77b19d87c02919afaa2045d01c8e5d41ae6205a47a3b7b693ac3298475702ad90fd7017ad0a5bca4a3709a5480e67155e9ad7d7c53c919ac7234ef

Download Submit
C:\Windows\SysWOW64\Dknnoofg.exe

Filesize
120KB

MD5
2e396711e0f70ae99b6c0038c0089f37

SHA1
1112912cf70d9117e74d2a1775efd95192938422

SHA256
cdfaaf31c81546436a8860b65217711e326ed856edab511473c850331890c43b

SHA512
17691e26f72bb6995ae3eff53adfda242f35b72065293bff43f2ff2316bf340e45aace9d3c4ac1c25b7426dea83a911df2f1a85e4bd32b92050ef03a6ecf893d

Download Submit
C:\Windows\SysWOW64\Dmjmekgn.exe

Filesize
120KB

MD5
702e61410e703d5c5514af69124d1ded

SHA1
0d375fe0fadad0463014feacbe0f454bf67c593d

SHA256
e0624dd324200d3bfb8346d399596847c2feb975cf9bacb7f5feb40b708bbf5e

SHA512
1e9777d54ab96f85f257043ef54ccb370d160563c96c9c4c39951f29b2af2a6bf53fb8a09be8d74ff311bf28d652c90978754e65d3bbdc7b4c2d99b19cb847c6

Download Submit
C:\Windows\SysWOW64\Dncpkjoc.exe

Filesize
120KB

MD5
9b628396975a7a176c7c52da795dc0ad

SHA1
fe4875dcddd8e9a8b54ddf4913ab4451dd0b637b

SHA256
b7e052d2e1535516afb50d58df236aac443ed8cef633a8fe64daad881399f69a

SHA512
c95e3b79490df9a1d6667cd4b258765263638ccc5ec8f0c084f98fa864222502eaed603b92625611ff970738823bb93c41c5ba4f6e0faf353b3b9efd9e7fc479

Download Submit
C:\Windows\SysWOW64\Dnqcfjae.exe

Filesize
120KB

MD5
24a5312e4131f2466cf2865661dcfa8d

SHA1
f7773e4a37e1f9cab0dfad5d6900d255de92d575

SHA256
3dbee9f6c1e4460b239a5308adb46fbd07496802d06ef4785bf309b90783576c

SHA512
1029883a7427ee12e9981225f11fc0038cba58f6292d9e12c2dd00f236cd32718c9ee5091c8a3c84a2490d4b7629286667f7bfd97c3042086352ca956f71b00e

Download Submit
C:\Windows\SysWOW64\Dpjfgf32.exe

Filesize
120KB

MD5
7176e2dd936e3dd080eed8ca846a3142

SHA1
b4b12ce8ec76547e40f49c42b17269a3086983cf

SHA256
4e4a905fed12841f99eb563c403adc5d4b5c0f7ec27ca3e2033848234e04820e

SHA512
dfd820e19aa44c86ea68fe86b8b71381f665353cdbc229a687142e093cdaf88450272f7599784000e87d3c657cc65bab4b0182cd2f742021ca83e9d9deb308e7

Download Submit
C:\Windows\SysWOW64\Dpopbepi.exe

Filesize
120KB

MD5
aa731f2f5576378ee33f01041b54b396

SHA1
9b47facfba28ee71494c76f8cd5897154efbb28a

SHA256
c1a0405eaafdcc28d90d56254e296aae54a9817fcac27b76a17245b3dc6fb991

SHA512
5d13f4ff4206fc7507b5059a621f94f4baf2acec707560311e52e8d7c854a586afe1ee1430a34cd05cf26d4ae471d9c23f0bb78a85219e62e943487f9e154d68

Download Submit
C:\Windows\SysWOW64\Fcanfh32.dll

Filesize
7KB

MD5
2916b316024f37911fa13418f5849ee6

SHA1
b3d0ff9179ae3af734a67eb9168486aa2008b206

SHA256
8256dc6b88fa11ab741651068d42653c9fed53d633f9d0cfb202d031465f0e24

SHA512
9075a4ab439a2da1d73db2d8a1218ee58b0854d7038822cdb6f385ad1c22e8cfbb49ad5e9c980041e02e8da3ad030c033669690c190c5966640a5243e3376241

Download Submit
C:\Windows\SysWOW64\Fgiaemic.exe

Filesize
120KB

MD5
bba48ebb261f3015af1c413de6d3e815

SHA1
016536d6ca12624b8671b76660be2244032efd0e

SHA256
f02c0e2372810b34908cfdeefd4032ce38e89ca559756f2a1000d9f752d6cb28

SHA512
ae1fdc9b8f5b1afbfa3325f79c2d29ca3daeb5edebdfa7b394021d4ffc17693d66a30f54be3ca1717cde6eb948bddbff9506753081d425cf960c4284b874aa6b

Download Submit
C:\Windows\SysWOW64\Fgqgfl32.exe

Filesize
120KB

MD5
9da8e57644c0364b586e23b8ad731947

SHA1
7a0fad05cc295a2632363e16263d9993a48fa254

SHA256
ff6d7ce7a6d65255a100ba471dcd0ddffa24b82999ffb7dd1b1f4b4ccfae1f99

SHA512
5ebda6fd0c00f6f88c4080f6632963124eb0781018f1a7f17a7322cef4331382f884181b67b2da7b6de21d20ceb30bb71e4c806cd47d6b628bd0e174dfbe8687

Download Submit
memory/380-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/380-452-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/512-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/624-417-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/672-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/724-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/724-426-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/764-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/764-458-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/912-489-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/912-183-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1036-483-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1036-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1060-493-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1060-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1264-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1276-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1456-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1464-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1464-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1480-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1480-448-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1592-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1592-487-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1604-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1604-456-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1652-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1652-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1776-422-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1776-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1848-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1848-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1912-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1928-428-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1928-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1936-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1936-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1968-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1968-446-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2060-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2060-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2164-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2164-464-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2200-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2240-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2276-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2276-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2336-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2440-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2484-438-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2484-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2504-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2504-480-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2528-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3056-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3064-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3064-468-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3108-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3208-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3208-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3304-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3304-470-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3372-474-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3372-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3388-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3448-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3636-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3636-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3692-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3852-462-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3852-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3856-221-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3948-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4140-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4140-420-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4228-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4244-440-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4244-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4296-491-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4296-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4344-450-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4344-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4384-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4468-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4540-432-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4540-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4600-476-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4600-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4692-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4692-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4896-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4896-444-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4952-434-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4952-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4992-485-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4992-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5028-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads